- The challenge is to design a structure that balances the competing needs of the communities of interest
- Organizations compromise to balance the needs of enforcement with the needs for education, training, awareness, and customer service
Principles of Information Security - Chapter 11 Slide 2
- Organizations typically look for a technically qualified information security generalist
- In the information security discipline, overspecialization is often a risk, and it is important to balance technical skills with general information security knowledge
Hiring Criteria
When hiring infosec professionals, organizations frequently look for individuals who understand:
- How an organization operates at all levels
- That information security is usually a management problem and is seldom an exclusively technical problem
- People, and have strong communications and writing skills
- The roles of policy and education and training
- The threats and attacks facing an organization
- How to protect the organization from attacks
- How business solutions can be applied to solve specific information security problems
- Many of the most common mainstream IT technologies, at a generalist level
- The terminology of IT and information security
- Today, students are selecting and tailoring degree programs to prepare for work in security
- Organizations can foster greater professionalism in the information security discipline through clearly defined expectations and position descriptions
Figure 11-2
Security Manager
- Accountable for the day-to-day operation of the information security program
- Accomplishes objectives as identified by the CISO
- Qualifications and position requirements:
  - It is not uncommon to have a CISSP
  - Traditionally, managers earned the CISSP while technical professionals earned the Global Information Assurance Certification
  - Must have the ability to draft middle- and lower-level policies as well as standards and guidelines
  - Must have experience in budgeting, project management, and hiring and firing
  - Must also be able to manage technicians, both in the assignment of tasks and the monitoring of activities
Security Technician
- Technically qualified individuals tasked to configure security hardware and software
- Tend to be specialized, focusing on one major security technology and further specializing in one software or hardware solution
- Qualifications and position requirements:
  - Organizations prefer the expert, certified, proficient technician
  - Job descriptions cover some level of experience with a particular hardware and software package
  - Sometimes familiarity with a technology secures an applicant an interview; however, experience in using the technology is usually required
- Many candidates teach themselves through trade press books; others prefer the structure of formal training
- Before attempting a certification exam, do your homework and review the exam criteria, its purpose, and its requirements in order to ensure that the time and energy spent pursuing the certification are well spent
Figure 11-3
Figure 11-4
Job Descriptions
- Inserting information security perspectives into the hiring process begins with reviewing and updating all job descriptions
- To prevent people from applying for positions based solely on access to sensitive information, the organization should avoid revealing access privileges to prospective employees when advertising positions
Interviews
- An opening within information security offers a unique opportunity for the security manager to educate HR on the certifications, experience, and qualifications of a good candidate
- Information security should advise HR to limit the information provided to the candidate on the responsibilities and access rights the new hire would have
- For those organizations that include on-site visits as part of interviews, it is important to use caution when showing a candidate around the facility
Background Checks
- A background check is an investigation into a candidate's past
- There are regulations that govern such investigations
- Background checks differ in the level of detail and depth with which the candidate is examined:
  - Identity checks
  - Education and credential checks
  - Previous employment verification
  - Reference checks
  - Workers' compensation history
  - Motor vehicle records
  - Drug history
  - Credit history
  - Civil court history
  - Criminal court history
Employment Contracts
- Once a candidate has accepted the job offer, the employment contract becomes an important security instrument
- Many security policies require an employee to agree in writing
- If an existing employee refuses to sign these contracts, the security personnel are placed in a difficult situation
- New employees, however, may find policies classified as "employment contingent upon agreement," whereby the employee is not offered the position unless he or she agrees to the binding organizational policies
Performance Evaluation
- To heighten information security awareness and change workplace behavior, organizations should incorporate information security components into employee performance evaluations
- Employees pay close attention to job performance evaluations, and if the evaluations include information security tasks, employees are more motivated to perform these tasks at a satisfactory level
Termination
- When an employee leaves an organization, there are a number of security-related issues
- The key is protection of all information to which the employee had access
- When an employee leaves, several tasks must be performed:
  - Access to the organization's systems disabled
  - Removable media returned
  - Hard drives secured
  - File cabinet locks changed
  - Office door lock changed
  - Keycard access revoked
  - Personal effects removed from the organization's premises
- Once cleared, they should be escorted from the premises
- In addition, many organizations use an exit interview
Hostile Departure
Hostile departure (nonvoluntary): termination, downsizing, layoff, or quitting:
- Before the employee is aware, all logical and keycard access is terminated
- As soon as the employee reports for work, he or she is escorted into the supervisor's office
- Upon receiving notice, he or she is escorted to his or her area and allowed to collect personal belongings
- The employee is asked to surrender all keys, keycards, and other company property
- The employee is then escorted out of the building
Friendly Departure
Friendly departure (voluntary) for retirement, promotion, or relocation:
- The employee may have tendered notice well in advance of the actual departure date, which actually makes it more difficult for security to maintain positive control over the employee's access and information usage
- Employee access is usually allowed to continue with a new expiration date
- Employees come and go at will, collect their own belongings, and leave on their own
- They are asked to drop off all organizational property on their way out the door
Termination
- In all circumstances, the offices and information used by the employee must be inventoried, their files stored or destroyed, and all property returned to organizational stores
- It is possible that employees foresee their departure well in advance and begin collecting organizational information or anything that could be valuable in their future employment
- Only by scrutinizing system logs after the employee has departed, and sorting out authorized actions from system misuse or information theft, can the organization determine whether there has been a breach of policy or a loss of information
- In the event that information is illegally copied or stolen, the action should be declared an incident and the appropriate policy followed
Temporary Employees
- Temporary employees are hired by the organization to serve in a temporary position or to supplement the existing workforce
- As they are not employed by the host organization, they are often not subject to the contractual obligations or general policies, and if these individuals breach a policy or cause a problem, the organization's possible actions are limited
- From a security standpoint, access to information for these individuals should be limited to that necessary to perform their duties
- Ensure that the temp's supervisor restricts the information to which they have access
Contract Employees
- Contract employees are typically hired to perform specific services for the organization
- The host company often makes a contract with a parent organization rather than with an individual for a particular task
- In a secure facility, all contract employees are escorted from room to room, as well as into and out of the facility
- There is also the need for certain restrictions or requirements to be negotiated into the contract agreements when they are activated
Consultants
- Consultants should be handled like contract employees, with special requirements for information or facility access integrated into the contract before these individuals are allowed outside the conference room
- Security and technology consultants especially must be prescreened, escorted, and subjected to nondisclosure agreements to protect the organization
- Just because you pay a security consultant doesn't make the protection of your information his or her number one priority
Business Partners
- Businesses find themselves in strategic alliances with other organizations, desiring to exchange information, integrate systems, or simply discuss operations for mutual advantage
- There must be a meticulous, deliberate process of determining what information is to be exchanged, in what format, and to whom
- Nondisclosure agreements and the level of security of both systems must be examined before any physical integration takes place, as system connection means that the vulnerability of one system is the vulnerability of all
Figure 11-6